DevHeads.net

Postings by Neal Becker

mercurial CVEs - plan for f25 and f26 updates

Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.

CVE-2017-1000116:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks by specifying a hostname starting with -oProxyCommand.

can I "watch" a project in bodhi?

If not, it would be a handy feature - to be notified of any updates. I
didn't see it looking at https://bodhi.fedoraproject.org/

mercurial 4.1.3 for f26

Mercurial < 4.1.3 has a security issue, and an update is highly recommended
https://www.mercurial-scm.org/pipermail/mercurial-packaging/2017-April/000202.html

I propose to update f26 for 4.1.3.
tortoisehg 4.1.3 is (just now) also available.

It would be advisable to backport patches to earlier versions.

kinit OK, but howto ssh?

kinit ... at FEDORAPROJECT dot ORG
Password for ... at FEDORAPROJECT dot ORG:
[nbecker@nbecker2 ~]$ ssh ... at fedoraproject dot org
Permission denied (publickey).

static linking a library

Mercurial upstream is asking about a compression library zstd.

Specifically:
https://www.mercurial-scm.org/pipermail/mercurial-packaging/2016-November/000178.html

I believe the proposed solution here:
https://www.mercurial-scm.org/pipermail/mercurial-packaging/2016-December/000182.html

which is to statically link the library to the mercurial executable would
also raise issues?

f25 builds in copr?

It seems at this time f25 builds are not yet turned on in copr.

test dnf system-upgrade (failed?)

I tried to test upgrade f24->f25:

sudo dnf system-upgrade download --refresh --releasever=25 --allowerasing

but it wanted to downgrade a large number of packages, particularly texlive:
[hundreds of downgrades...]
texlive-zlmtt noarch
5:svn34485.1.01-17.fc25.1 fedora
35 k

Just checking that last one:
rpm -q texlive-zlmtt
texlive-zlmtt-svn34485.1.01-24.fc24.1.noarch

Yup, the f24 version seems to be newer.

I suppose this is not the correct procedure?

emacs patched for x2go on copr

Many of us have experienced that emacs cannot run under x2go.
https://bugzilla.redhat.com/show_bug.cgi?id=1349412

There is no actual fix, but we can't live without emacs, so I am putting up
a version on copr which has a workaround (configure options).

It is named:
e.g., emacs-filesystem-25.1-2.x2go.fc24.noarch.rpm

I think this complies with naming conventions.

update mercurial to 4.0 in rawhide

I'm planning to update mercurial to 4.0 for rawhide. Any objections?

dnf should not update debuginfo if not updating packages

sudo dnf update
...
updates 77 k
mercurial-debuginfo x86_64 4.0-1.fc24
...
nbecker-mercurial-3 190 k
Skipping packages with broken dependencies:
mercurial x86_64 4.0-1.fc24
nbecker-mercurial-3 3.6 M
mercurial-hgk x86_64 4.0-1.fc24
nbecker-mercurial-3 55 k

Transaction Summary
=============================================================================================================
Upgrade 23 Packages
Skip 2 Pac

“Side channel” in Haswell CPUs lets researchers bypass protection known as ASLR.

http://arstechnica.com/security/2016/10/flaw-in-intel-chips-could-make-malware-attacks-more-potent/

problem with gmp f24? undefined reference to symbol '__gxx_personality_v0@@CXXABI_1.3'

cc -c test_gmp.cpp
cc -o a.out test_gmp.o -lgmp -lgmpxx
/usr/bin/ld: test_gmp.o: undefined reference to symbol
'__gxx_personality_v0@@CXXABI_1.3'
/usr/lib64/libstdc++.so.6: error adding symbols: DSO missing from command
line
collect2: error: ld returned 1 exit status

Here is test_gmp.cpp:
#include <gmpxx.h>
int main() {
mpz_class a(1);
return a == 0;
};

having trouble with bodhi

[nbecker@nbecker2 Cython]$ bodhi -n -r F23 -t bugfix -b 1343331
Cython-0.23.4-3.fc23
No handlers could be found for logger "fedora.client.bodhi"
Creating a new update for Cython-0.23.4-3.fc23
Traceback (most recent call last):
File "/usr/bin/bodhi", line 537, in <module>
main()
File "/usr/bin/bodhi", line 251, in main
data = bodhi.save(**extra_args)
File "/usr/lib/python2.7/site-packages/fedora/client/bodhi.py", line 93,
in wrapper
raise BodhiClientException(problems)
fedora.client.bodhi.BodhiClientException: Required

OK, how about another test?
[nbecker@nbecker2 Cython]$

build stuck?

http://koji.fedoraproject.org/koji/taskinfo?taskID=14421664

rpm: %patch needs --fuzz

In an rpm .spec I need a patch with more fuzz

%patch macro

doesn't seem to accept --fuzz=xxx

What's a good solution?

can't login to koji - ssl error

chrome is refusing to login to:

https://koji.fedoraproject.org/koji/login

This site can’t provide a secure connection

koji.fedoraproject.org sent an invalid response.
Try:
Reloading the page
Learn more about this problem.
ERR_SSL_PROTOCOL_ERROR

Appears to be a deprecation in chrome 50:
https://developers.google.com/web/updates/2016/03/chrome-50-deprecations?hl=en&p=ir_ssl_error&hl=en&rd=1#remove-insecure-tls-version-fallback

update mercurial to 3.7.1 in rawhide and F24

I'd like to update to latest mercurial. I built 3.7.1 in rawhide, and
AFAICT there's no problem using it with tortoisehg-3.7.1-fc24.

I'd like to update mercurial in F24 - AFAIK there should not be any
compatibility issues.

Any objections?

Cython is failing to build (%check) on f24 (gcc6)

Running %check is giving a compile error. What's the easiest way to see
what the error message is?

https://kojipkgs.fedoraproject.org//work/tasks/3468/12893468/build.log

Update mercurial in rawhide to 3.6.2

I'd like to update to the current mercurial version 3.6.2.

Affected packages are:

dnf repoquery --whatrequires mercurial
Last metadata expiration check performed 0:02:51 ago on Thu Dec 24 14:05:58
2015.
fusionforge-plugin-scmhg-0:6.0.2-1.fc23.noarch
git-remote-hg-0:0.2-6.fc23.noarch
gitifyhg-0:0.8.4-3.fc23.noarch
gwsmhg-0:0.13.2-4.fc23.noarch
hg-git-0:0.8.2-1.fc23.noarch
hgsubversion-0:1.8.3-1.fc23.noarch
hgsvn-0:0.2.3-4.fc23.noarch
hgsvn-0:0.3.12-1.fc23.noarch
hgview-common-0:1.8.2-3.fc23.noarch
python-anyvc-0:0.3.7.1-6.fc23.noarch
python-hgapi-0:1.7.2-2.fc23.noarch
python-hghooks-0:0.6.0-

python-cycler has broken dependencies in the rawhide tree:

python-cycler has broken dependencies in the rawhide tree:
On x86_64:
python3-cycler-0.9.0-4.fc24.noarch requires python(abi) = 0:3.4
On i386:
python3-cycler-0.9.0-4.fc24.noarch requires python(abi) = 0:3.4
On armhfp:
python3-cycler-0.9.0-4.fc24.noarch requires python(abi) = 0:3.4

I'm guessing it just needs to be rebuilt? How do I do this?

I tried:
fedpkg build
Could not execute build: Package python-cycler-0.9.0-4.fc24 has already been
built
Note: You can skip this check with --skip-nvr-check. See help for more info.

What is Source0 tag for this?

What is syntax for Source0 tag for git tag v0.9.0 tarball for this?

https://github.com/matplotlib/cycler/tree/v0.9.0

And how can I verify it works?

What license is this?

I'm trying to package python-cycler for matplotlib. It has the attached
LICENSE file. What should I put for license: tag?

fedora-review --prebuilt still requires mock??

According to fedora-review man page:

-p, --prebuilt
When using -n <name>, use prebuilt rpms in current directory instead of
building new ones in mock

But if I try:

fedora-review --prebuilt -n python-cycler-0.9.0-1.fc23.noarch.rpm

I get this dialog:

You are attempting to run "mock" which requires administrative privileges,
but more information is needed in order to do so.

I was hoping to avoid running mock.

update rawhide to mercurial 3.6?

I am proposing to update mercurial in rawhide to 3.6 (the current release).
This could cause temporary breakage of tortoisehg and hg-git. Any
objections?

nothing provides /bin/python needed by mercurial-3.5-1.fc23.x86_64

I'm stuck on this (again). According to advice here:

https://lists.fedoraproject.org/pipermail/devel/2015-June/211666.html

I just needed to use
Requires: /usr/bin/python

But I tried changing

Requires: python

to

Requires: /usr/bin/python

and it doesn't work.

need rpm help (nothing provides /bin/python)

I updated mercurial to mercurial-3.4.1-1 and did a fedpkg push.

Now I tried a local build, and tried to locally install, but I got:
sudo dnf install x86_64/*3.4.1*
[sudo] password for nbecker:
Last metadata expiration check performed 0:22:21 ago on Tue Jun 23 06:57:18
2015.
Error: nothing provides /bin/python needed by mercurial-3.4.1-1.fc23.x86_64.
nothing provides /bin/python needed by mercurial-3.4.1-1.fc23.x86_64

Anyone see how to fix this?

Also, can someone please confirm that I correctly took care of
obsoleting the mercurial-emacs{-el} as per:

https://fedoraproject.org/wiki/Packa

dnf install just stops - no explanation

[nbecker@nbecker2 scma-unframed.py3]$ sudo dnf install h5py python3-h5py
[sudo] password for nbecker:
Last metadata expiration check performed 2:15:03 ago on Tue Jun 9 07:02:31
2015.
Dependencies resolved.
================================================================================
Package Arch Version Repository
Size
================================================================================
Installing:
h5py x86_64 2.4.0-1.fc22 fedora
673 k
liblzf x86_64 3.6-9.fc22

no product firewall-config in bugzilla?

rpm -qf /usr/bin/firewall-config
firewall-config-0.3.13-7.fc22.noarch

But I can't select firewall-config in BZ!
I filed my bug under firewalld instead.
https://bugzilla.redhat.com/show_bug.cgi?id=1227419

default btrfs partitioning setup

I have an older setup created by anaconda from 2013, and it looks like

UUID=7246327b-1905-4fe2-9b6b-b9376017264f / btrfs
subvolid=5,subvol=root00 0 0
UUID=2c04be93-34c1-4016-ba41-60fd9fd90616 /boot ext4
defaults 1 2
UUID=7246327b-1905-4fe2-9b6b-b9376017264f /home btrfs
subvol=home 0 0

So we have only 1 disk. There is 1 btrfs partition, but root and home are 2
different btrfs subvolumes.

unable to get new certificate?

fedora-packager-setup
Setting up Fedora packager environment
Certificate has expired, getting a new one
FAS Password:
[... silence ]

Seems to just hang